DSA: deprecate the low level functions.

[paulidale]

• documentation is added or updated
• tests are added or updated

[paulidale]

Still WIP: evp_extra_test needs to be updated to not use the low level calls.

[slontis]

I foresee some merge problems for me.

[levitte]

Poor @paulidale... between @mattcaswell and me, life can't be easy 😉

[paulidale]

Poor @paulidale...

This is the least of my problems...

[paulidale]

Open questions are:

1. DSA_SIG related function -- deprecate or not?
2. ASN.1 functions -- deprecate or not?
3. printing functions -- deprecate or not?
4. DSA_size, DSA_bits, DSA_security_bits functions -- deprecate or not?

[levitte]

The general viewpoint that at least @mattcaswell and I share nowadays is that the key creation functions should not be deprecated, but the rest goes. In other words, it should remain possible to DSA_new(), then a bit of DSA_set0_pqg() and DSA_set0_key(), and finish it off with EVP_PKEY_assign_DSA(), and anything else should become a matter of using functions that accept a EVP_PKEY.

That's at least how I understood things. But it dawns on me now that @mattcaswell talked about deprecating the functions that do calculations using the keys (encryption, decryption, ...), so it seems like he has a more conservative viewpoint than me, after all.

But on direct questions:

1. DSA_SIG functions need to stay for the moment, for the simple reason that we don't have a replacement. We should, however, have a think of making a signature not only a provided method, but also a first class object on the provider level, allowing us to pick out its pieces with OSSL_PARAM arrays just like any other provider object.
2. ASN.1 encoding/decoding functions should essentially become increasingly deprecated, as we add serializers and deserializers. We already have the serializers in place, but not the deserializers, and I think it's fine to wait until they are implemented.
3. I would deprecate the printing functions without any hesitation, especially since they are just wrappers around the EVP_PKEY printing functions.

[mattcaswell]

IMO:

• DSA_SIG functions should stay.
• ASN1 encoding/decoding should stay
• I'm ok with deprecating the printing functions
• size/bits/security_bits seems like a bit of a grey area to me. Is it more like getting parameters "p/q/g" which we allow, or is it more like a "crypto" operation. On reflection, I suppose there may actually be some "calculation" involved to return these values - so I'm ok to deprecate.

[paulidale]

Thanks for the prompt feedback. Okay, DSA_SIG and ASN.1 are staying. The printing and bits/size functions are deprecated. Clarity is achieved :)

Travis is relevant...

[paulidale]

Travis is fixed.

Time to open the review floodgates ...

[paulidale]

Rebased to avoid conflicts.
Added deprecation warnings when command line apps are started.

[levitte]

In a no-deprecated configuration, we shouldn't even build the dsa (and dh, since you're already on a path to include that in this deprecation) related apps source. The formula for this in build.info is:

IF[{- !$disabled{deprecated} || $config{api} < 30000 -}]
  SOURCE[openssl]=dsa.c dsaparam.c
ENDIF

[levitte]

Er, did you actually mean to have that in this PR?

[paulidale]

Yes, I intend to push this as a separate commit.
I am willing to make it a separate PR if required, but it's easier here.

[levitte]

[Reopening this conversation after seeing comments from Matt on the subject.]

It turns out that these deprecations are premature.

[paulidale]

In a no-deprecated configuration, we shouldn't even build the dsa (and dh, since you're already on a path to include that in this deprecation) related apps source.

This cascades to test failures. I tried :)

[paulidale]

The partial dh deprecation is here only because dh relies on dsa for parameter generation. Fully deprecating dh is a lot more effort which I've got underway.

[levitte]

This cascades to test failures. I tried :)

Yup, there are a lot of tests that need a similar check. #10797 had a lot of failures related to exactly this, but from a different viewpoint.

[mattcaswell]

LGTM

[petrovr]

Richard Levitte wrote:

> Common --api=3.0.0 no-deprecated effectively removes today ! I will say this again: those are not default configuration options, *and they are not recommended for general use and cannot be considered "normal" use*. The intention with `no-deprecated` is to check if your application can build with all deprecated symbols removed, for those who really want to be that much on the bleeding edge. If that's not your application, *then do not use `no-deprecated`*, it's as simple as that.

And the error is in design - some symbols are marked depreciated without alternative. And this is my point - to mark as deprecated in 5.0 when is expected to exist valuable alternative. Regards Roumen Petrov

[levitte]

And this is my point - to mark as deprecated in 5.0 when is expected to exist valuable alternative.

Huh? Of course, it depends on what you mean with "valuable", but the EVP API with provider backing is the alternative.
(as a matter of fact, we have been pushing for EVP use for a long time, so even without the providers, it would have been perfectly sensible to deprecate the low-level functions)

[mattcaswell]

And the error is in design - some symbols are marked depreciated without
alternative.

If you believe that then I'd like to understand what symbols you think they are. AFAIK all symbols that we are deprecating have an alternative.

[paulidale]

Merged to master. Thanks for the reviews and feedback.